Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow passing in AWS credentials instead of only using environment variables #1766

Closed
aliciazavala opened this issue Mar 5, 2024 · 2 comments
Assignees
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@aliciazavala
Copy link

aliciazavala commented Mar 5, 2024

Is your feature request related to a problem? Please describe.
Yes, the current implementation of the library only allows for AWS credentials to be passed via environment variables or metadata endpoint. This can be limiting in scenarios where the user wants to pass credentials dynamically or when they want to use different credentials for different services.

Describe the solution you'd like
I would like the library to be updated to allow AWS credentials to be passed in as parameters to the relevant functions or methods. This would provide more flexibility and control to the user over which credentials to use.

Describe alternatives you've considered
An alternative could be to allow the user to set the credentials in a configuration file that the library can read from. However, this might not be as flexible as passing the credentials directly to the functions or methods.

Additional context
This feature would be particularly useful in multi-account AWS setups, where different services might be running under different accounts. Being able to specify the credentials at the function or method level would make it easier to manage such setups.

Here's a rough idea of what I'm suggesting:

constructor(
options: AwsClientOptions,
additionalOptions?: AuthClientOptions
) {
super(options, additionalOptions);
this.environmentId = options.credential_source.environment_id;
// This is only required if the AWS region is not available in the
// AWS_REGION or AWS_DEFAULT_REGION environment variables.
this.regionUrl = options.credential_source.region_url;
// This is only required if AWS security credentials are not available in
// environment variables.
this.securityCredentialsUrl = options.credential_source.url;
this.regionalCredVerificationUrl =
options.credential_source.regional_cred_verification_url;
this.imdsV2SessionTokenUrl =
options.credential_source.imdsv2_session_token_url;
this.awsRequestSigner = null;
this.region = '';
this.credentialSourceType = 'aws';

 constructor(
    options: AwsClientOptions,
    additionalOptions?: AuthClientOptions,
    awsCredentials?: AwsSecurityCredentials,
  ) {
    super(options, additionalOptions);
    this.environmentId = options.credential_source.environment_id;
    // This is only required if the AWS region is not available in the
    // AWS_REGION or AWS_DEFAULT_REGION environment variables.
    this.regionUrl = options.credential_source.region_url;
    // This is only required if AWS security credentials are not available in
    // environment variables.
    this.securityCredentialsUrl = options.credential_source.url;
    this.regionalCredVerificationUrl =
      options.credential_source.regional_cred_verification_url;
    this.imdsV2SessionTokenUrl =
      options.credential_source.imdsv2_session_token_url;
    this.awsRequestSigner = null;
    this.region = '';
    this.credentialSourceType = 'aws';
    this.awsCredentials = awsCredentials || null;

and the retrieveSubjectToken() function
https://github.com/googleapis/google-auth-library-nodejs/blob/6a6e49634863f61487688724d0d20632e03f0299/src/auth/awsclient.ts#L164-#L169

      this.awsRequestSigner = new AwsRequestSigner(async () => {
        // Check provided credentials first
        if (this.awsCredentials) {
          return this.awsCredentials;
        }
        // Check environment variables for permanent credentials next.
        // https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
        if (this.securityCredentialsFromEnv) {
          return this.securityCredentialsFromEnv;
        }

@aliciazavala aliciazavala added priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Mar 5, 2024
@aliciazavala
Copy link
Author

@danielbankhead
Copy link
Contributor

Resolved in v9.9.0:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Development

No branches or pull requests

3 participants